There are two main lines of cryptographically secure audit logging techniques.
Symmetric Cryptography based Primitives: In one line, several symmetric cryptography based secure audit logging techniques have been proposed [10, 12, 21, 27, 28]. These techniques mainly rely on Message Authentication Codes [4], hash chains [17], and Merkle-hash trees [26]. A common system architecture in these schemes is that the signers (a.k.a. loggers) share a symmetric key with a trusted server and upload cryptographically secure audit logs to this trusted server. This server acts as an auditor and verifies the authenticity of log entries by using the secret keys shared with the signers.
Many of these techniques are near-optimally efficient in terms of computation and communication overhead due to their reliance on highly efficient symmetric primitives. Some of these techniques also achieve signer-side (i.e., logger-side) compromise resiliency via an implementation of forward-secure symmetric MACs with hash chains [21]. Some of these techniques can also offer “all-or-nothing” features, wherein an adversary cannot selectively delete log entries from a log trail without being detected. Moreover, these techniques can achieve post-quantum security, since they rely on symmetric primitives [1].
However, the symmetric cryptography based secure logging techniques have the following drawbacks: (i) They cannot achieve non-repudiation and public verifiability, since the verifier shares the same key with the signer(s). That is, the verifier server can easily generate an authentication tag on behalf of any signer of its choice, since it has all the shared keys. Note that the lack of non-repudiation is a significant drawback for many logging applications (e.g., financial and law audits) that need a dispute resolution mechanism.
Non-repudiation also alleviates the liability of verifiers, since they cannot be accused of creating fake authentication tags. (ii) The direct application of these techniques to secure logging might create vulnerabilities against active adversaries. Specifically, if the verifier is compromised by an active adversary (e.g., malware or insider collusion), the security of all signers with whom the verifier shares symmetric keys is also compromised.
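An added example (not taken from the paper or from any of the cited schemes) sketching the general pattern described above: a MAC key evolved through a one-way hash chain, with per-entry tags folded into a single aggregate tag. The class and function names, the key-update label and the sample log entries are assumptions made for illustration; the demo shows that deleting an entry is detected, and that a verifier holding the shared initial key can produce a valid tag for a trail the signer never wrote (drawback (i)).

```python
import hashlib
import hmac

def evolve(key: bytes) -> bytes:
    """One-way key update k_{i+1} = H(k_i); the signer then discards k_i."""
    return hashlib.sha256(b"key-update" + key).digest()

class Logger:
    """Signer side: keeps only the current key and a running aggregate tag."""
    def __init__(self, k0: bytes):
        self.key = k0
        self.agg = b"\x00" * 32
        self.entries = []

    def append(self, msg: bytes) -> None:
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        # Fold the per-entry tag into the aggregate, then evolve the key.
        self.agg = hashlib.sha256(self.agg + tag).digest()
        self.entries.append(msg)
        self.key = evolve(self.key)

def aggregate_tag(k0: bytes, entries) -> bytes:
    """Recompute the aggregate tag from the shared initial key k0."""
    key, agg = k0, b"\x00" * 32
    for msg in entries:
        tag = hmac.new(key, msg, hashlib.sha256).digest()
        agg = hashlib.sha256(agg + tag).digest()
        key = evolve(key)
    return agg

def verify(k0: bytes, entries, agg: bytes) -> bool:
    return hmac.compare_digest(aggregate_tag(k0, entries), agg)

def demo():
    k0 = bytes(32)  # constructed sample key, shared by signer and verifier
    log = Logger(k0)
    for m in [b"login alice", b"sudo su", b"logout alice"]:  # constructed entries
        log.append(m)
    ok = verify(k0, log.entries, log.agg)
    # Dropping the middle entry no longer matches the aggregate tag.
    deleted = verify(k0, [log.entries[0], log.entries[2]], log.agg)
    # The verifier knows k0, so it can tag a trail of its own choosing.
    fake = [b"login mallory"]
    forged = verify(k0, fake, aggregate_tag(k0, fake))
    return ok, deleted, forged

if __name__ == "__main__":
    print(demo())
```
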
Public Key Cryptography based Primitives: In another line, public key cryptography based secure audit logging techniques have been proposed (e.g., [3, 13, 15, 22, 23, 32, 33]). These schemes are mainly based on digital signatures [4], which can guarantee public verifiability and non-repudiation. Moreover, since they rely on public keys for verification, they achieve verifier compromise resiliency and availability by default (anybody can verify the logs without relying on a trusted party). Many of these schemes (e.g., [20]) either adapt or create new forward-secure (e.g., [2]) and/or aggregate signature schemes [7] to offer signer-side compromise resiliency and compactness. Signature aggregation offers the added benefit of an append-only feature, wherein one can only add to a trail of audit logs, but cannot selectively delete from it without being detected.
Despite their merits, public key based secure logging techniques have the following drawbacks: (i) All these techniques rely on highly costly operations such as exponentiations, cryptographic pairings and elliptic curve scalar multiplications for each item to be signed or verified. While some schemes are efficient on either the signer or the verifier side, in general they are several orders of magnitude costlier than their symmetric key counterparts. (ii) Their key and signature sizes are significantly larger than those of their symmetric cryptography based counterparts. (iii) All these alternatives rely on either factorization based or discrete logarithm based primitives, and therefore cannot offer post-quantum security. Potential post-quantum secure variants of such forward-secure and/or aggregate schemes are potentially even more costly in terms of key and signature sizes than their traditional counterparts.